Zero Trust

zero_trust

zero_trust.access

Domain types

AccessDevicePostureRule = { device_posture }

Enforces that a device posture rule has run successfully.

AccessRule = | | { auth_context } | 18 more...

Matches an Access group.

AnyValidServiceTokenRule = { any_valid_service_token }

Matches any valid Access Service Token

AuthenticationMethodRule = { auth_method }

Enforce different MFA options

AzureGroupRule = { azureAD }

Matches an Azure group. Requires an Azure identity provider.

CertificateRule = { certificate }

Matches any valid client certificate.

CountryRule = { geo }

Matches a specific country

DomainRule = { email_domain }

Match an entire email domain.

EmailListRule = { email_list }

Matches an email address from a list.

EmailRule = { email }

Matches a specific email.

EveryoneRule = { everyone }

Matches everyone.

ExternalEvaluationRule = { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

GitHubOrganizationRule = { github-organization }

Matches a GitHub organization. Requires a GitHub identity provider.

GroupRule = { group }

Matches an Access group.

GSuiteGroupRule = { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

IPListRule = { ip_list }

Matches an IP address from a list.

IPRule = { ip }

Matches an IP address block.

OktaGroupRule = { okta }

Matches an Okta group. Requires an Okta identity provider.

SAMLGroupRule = { saml }

Matches a SAML group. Requires a SAML identity provider.

ServiceTokenRule = { service_token }

Matches a specific Access Service Token

Applications

zero_trust.access.applications

Methods

Add An Access Application -> Envelope<{ domain, type, id, 27 more... } | { id, allowed_idps, app_launcher_visible, 12 more... } | { domain, type, id, 27 more... } | 6 more...>
post/{account_or_zone}/{account_or_zone_id}/access/apps

Adds a new application to Access.

Delete An Access Application -> Envelope<{ id }>
delete/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}

Deletes an application from Access.

Get An Access Application -> Envelope<{ domain, type, id, 27 more... } | { id, allowed_idps, app_launcher_visible, 12 more... } | { domain, type, id, 27 more... } | 6 more...>
get/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}

Fetches information about an Access application.

List Access Applications -> SinglePage<{ domain, type, id, 27 more... } | { id, allowed_idps, app_launcher_visible, 12 more... } | { domain, type, id, 27 more... } | 6 more...>
get/{account_or_zone}/{account_or_zone_id}/access/apps

Lists all Access applications in an account or zone.

Revoke Application Tokens -> Envelope<unknown>
post/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/revoke_tokens

Revokes all tokens issued for an application.

Update An Access Application -> Envelope<{ domain, type, id, 27 more... } | { id, allowed_idps, app_launcher_visible, 12 more... } | { domain, type, id, 27 more... } | 6 more...>
put/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}

Updates an Access application.

Domain types

AllowedHeaders = string
AllowedIdPs = string

The identity providers selected for application.

AllowedMethods = "GET" | "POST" | "HEAD" | 6 more...
AllowedOrigins = string
AppID = string

Identifier

Application = { domain, type, id, 19 more... } | { id, allowed_idps, app_launcher_visible, 9 more... } | { domain, type, id, 19 more... } | 5 more...
ApplicationPolicy = { id, approval_groups, approval_required, 11 more... }
ApplicationSCIMConfig = { idp_uid, remote_uri, authentication, 3 more... }

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

ApplicationType = "self_hosted" | "saas" | "ssh" | 7 more...

The application type.

CORSHeaders = { allow_all_headers, allow_all_methods, allow_all_origins, 5 more... }
Decision = "allow" | "deny" | "non_identity" | 1 more...

The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

OIDCSaaSApp = { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 13 more... }
SaaSAppNameIDFormat = "id" | "email"

The format of the name identifier sent to the SaaS application.

SAMLSaaSApp = { auth_type, consumer_service_url, created_at, 10 more... }
SCIMConfigAuthenticationHTTPBasic = { password, scheme, user }

Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.

SCIMConfigAuthenticationOauth2 = { authorization_url, client_id, client_secret, 3 more... }

Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.

SCIMConfigAuthenticationOAuthBearerToken = { token, scheme }

Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.

SCIMConfigMapping = { schema, enabled, filter, 3 more... }

Transformations and filters applied to resources before they are provisioned in the remote SCIM service.

SelfHostedDomains = string

A domain that Access will secure.

zero_trust.access.applications.cas

Methods

Create A Short Lived Certificate CA -> Envelope<>
post/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/ca

Generates a new short-lived certificate CA and public key.

Delete A Short Lived Certificate CA -> Envelope<{ id }>
delete/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/ca

Deletes a short-lived certificate CA.

Get A Short Lived Certificate CA -> Envelope<>
get/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/ca

Fetches a short-lived certificate CA and its public key.

List Short Lived Certificate CAs -> SinglePage<>
get/{account_or_zone}/{account_or_zone_id}/access/apps/ca

Lists short-lived certificate CAs and their public keys.

Domain types

CA = { id, aud, public_key }

zero_trust.access.applications.policies

Methods

Create An Access Application Policy -> Envelope<>
post/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/policies

Creates a policy that applies exclusively to a single application and defines the users or groups who can reach it. We recommend creating a reusable policy instead and subsequently referencing its ID in the application's 'policies' array.

Delete An Access Application Policy -> Envelope<{ id }>
delete/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}

Deletes an Access policy specific to an application. To delete a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.

Get An Access Application Policy -> Envelope<>
get/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}

Fetches a single Access policy configured for an application. Returns both exclusively owned and reusable policies used by the application.

List Access Application Policies -> SinglePage<>
get/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/policies

Lists Access policies configured for an application. Returns both exclusively scoped and reusable policies used by the application.

Update An Access Application Policy -> Envelope<>
put/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}

Updates an Access policy specific to an application. To update a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.

zero_trust.access.applications.policy_tests

Methods

Start Access Policy Test -> { id, status }
post/accounts/{account_id}/access/policy-tests

Starts an Access policy test.

Get The Current Status Of A Given Access Policy Test -> { id, pages_processed, percent_approved, 6 more... }
get/accounts/{account_id}/access/policy-tests/{policy_test_id}

Fetches the current status of a given Access policy test.

zero_trust.access.applications.policy_tests.users

Methods

Get An Access Policy Test Users Page -> Array<{ id, email, name, 1 more... }>
get/accounts/{account_id}/access/policy-tests/{policy_test_id}/users

Fetches a single page of user results from an Access policy test.

zero_trust.access.applications.user_policy_checks

Methods

Test Access Policies -> Envelope<{ app_state, user_identity }>
get/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/user_policy_checks

Tests if a specific user has permission to access an application.

Domain types

UserPolicyCheckGeo = { country }

zero_trust.access.bookmarks

Methods

Create A Bookmark Application -> Envelope<>
post/accounts/{account_id}/access/bookmarks/{bookmark_id}

Create a new Bookmark application.

Delete A Bookmark Application -> Envelope<{ id }>
delete/accounts/{account_id}/access/bookmarks/{bookmark_id}

Deletes a Bookmark application.

Get A Bookmark Application -> Envelope<>
get/accounts/{account_id}/access/bookmarks/{bookmark_id}

Fetches a single Bookmark application.

List Bookmark Applications -> SinglePage<>
get/accounts/{account_id}/access/bookmarks

Lists Bookmark applications.

Update A Bookmark Application -> Envelope<>
put/accounts/{account_id}/access/bookmarks/{bookmark_id}

Updates a configured Bookmark application.

Domain types

Bookmark = { id, app_launcher_visible, created_at, 4 more... }

Certificates

zero_trust.access.certificates

Methods

Add An mTLS Certificate -> Envelope<>
post/{account_or_zone}/{account_or_zone_id}/access/certificates

Adds a new mTLS root certificate to Access.

Delete An mTLS Certificate -> Envelope<{ id }>
delete/{account_or_zone}/{account_or_zone_id}/access/certificates/{certificate_id}

Deletes an mTLS certificate.

Get An mTLS Certificate -> Envelope<>
get/{account_or_zone}/{account_or_zone_id}/access/certificates/{certificate_id}

Fetches a single mTLS certificate.

List mTLS Certificates -> SinglePage<>
get/{account_or_zone}/{account_or_zone_id}/access/certificates

Lists all mTLS root certificates.

Update An mTLS Certificate -> Envelope<>
put/{account_or_zone}/{account_or_zone_id}/access/certificates/{certificate_id}

Updates a configured mTLS certificate.

Domain types

AssociatedHostnames = string

A fully-qualified domain name (FQDN).

Certificate = { id, associated_hostnames, created_at, 4 more... }

zero_trust.access.certificates.settings

Methods

List All mTLS Hostname Settings -> Envelope<Array<>>
get/{account_or_zone}/{account_or_zone_id}/access/certificates/settings

Lists all mTLS hostname settings for this account or zone.

Update An mTLS Certificate's Hostname Settings -> Envelope<Array<>>
put/{account_or_zone}/{account_or_zone_id}/access/certificates/settings

Updates an mTLS certificate's hostname settings.

Domain types

CertificateSettings = { china_network, client_certificate_forwarding, hostname }

Custom Pages

zero_trust.access.custom_pages

Methods

Create A Custom Page -> Envelope<>
post/accounts/{account_id}/access/custom_pages

Create a custom page

Delete A Custom Page -> Envelope<{ id }>
delete/accounts/{account_id}/access/custom_pages/{custom_page_id}

Delete a custom page

Get A Custom Page -> Envelope<>
get/accounts/{account_id}/access/custom_pages/{custom_page_id}

Fetches a custom page and also returns its HTML.

List Custom Pages -> SinglePage<>
get/accounts/{account_id}/access/custom_pages

List custom pages

Update A Custom Page -> Envelope<>
put/accounts/{account_id}/access/custom_pages/{custom_page_id}

Update a custom page

Domain types

CustomPage = { custom_html, name, type, 4 more... }
CustomPageWithoutHTML = { name, type, app_count, 3 more... }

zero_trust.access.gateway_ca

Methods

Add A New SSH Certificate Authority CA -> Envelope<{ id, public_key }>
post/accounts/{account_id}/access/gateway_ca

Adds a new SSH Certificate Authority (CA).

Delete An SSH Certificate Authority CA -> Envelope<{ id }>
delete/accounts/{account_id}/access/gateway_ca/{certificate_id}

Deletes an SSH Certificate Authority.

List SSH Certificate Authorities CA -> SinglePage<{ id, public_key }>
get/accounts/{account_id}/access/gateway_ca

Lists SSH Certificate Authorities (CA).

zero_trust.access.groups

Methods

Create An Access Group -> Envelope<>
post/{account_or_zone}/{account_or_zone_id}/access/groups

Creates a new Access group.

Delete An Access Group -> Envelope<{ id }>
delete/{account_or_zone}/{account_or_zone_id}/access/groups/{group_id}

Deletes an Access group.

Get An Access Group -> Envelope<>
get/{account_or_zone}/{account_or_zone_id}/access/groups/{group_id}

Fetches a single Access group.

List Access Groups -> SinglePage<>
get/{account_or_zone}/{account_or_zone_id}/access/groups

Lists all Access groups.

Update An Access Group -> Envelope<>
put/{account_or_zone}/{account_or_zone_id}/access/groups/{group_id}

Updates a configured Access group.

Domain types

ZeroTrustGroup = { id, created_at, exclude, 5 more... }

Infrastructure

zero_trust.access.infrastructure

zero_trust.access.infrastructure.targets

Methods

Delete Targets ->
delete/accounts/{account_id}/infrastructure/targets/batch

Removes one or more targets.

Create New Targets -> Array<{ id, created_at, hostname, 2 more... }>
put/accounts/{account_id}/infrastructure/targets/batch

Adds one or more targets.

Create New Target -> Envelope<{ id, created_at, hostname, 2 more... }>
post/accounts/{account_id}/infrastructure/targets

Create new target

Delete Target ->
delete/accounts/{account_id}/infrastructure/targets/{target_id}

Delete target

Get Target -> Envelope<{ id, created_at, hostname, 2 more... }>
get/accounts/{account_id}/infrastructure/targets/{target_id}

Get target

List All Targets -> V4PagePaginationArray<{ id, created_at, hostname, 2 more... }>
get/accounts/{account_id}/infrastructure/targets

Lists and sorts an account’s targets. Filters are optional and are ORed together. However, when a timestamp is specified with both its before and after counterparts, the timestamp filters are ANDed.

Update Target -> Envelope<{ id, created_at, hostname, 2 more... }>
put/accounts/{account_id}/infrastructure/targets/{target_id}

Update target

zero_trust.access.keys

Methods

Get The Access Key Configuration -> Envelope<{ days_until_next_rotation, key_rotation_interval_days, last_key_rotation_at }>
get/accounts/{account_id}/access/keys

Gets the Access key rotation settings for an account.

Rotate Access Keys -> Envelope<{ days_until_next_rotation, key_rotation_interval_days, last_key_rotation_at }>
post/accounts/{account_id}/access/keys/rotate

Performs a key rotation for an account.

Update The Access Key Configuration -> Envelope<{ days_until_next_rotation, key_rotation_interval_days, last_key_rotation_at }>
put/accounts/{account_id}/access/keys

Updates the Access key rotation settings for an account.

zero_trust.access.logs

Access Requests

zero_trust.access.logs.access_requests

Methods

Get Access Authentication Logs -> Envelope<Array<>>
get/accounts/{account_id}/access/logs/access_requests

Gets a list of Access authentication audit logs for an account.

Domain types

AccessRequests = { action, allowed, app_domain, 6 more... }

zero_trust.access.policies

Methods

Create An Access Reusable Policy -> Envelope<{ id, app_count, approval_groups, 13 more... }>
post/accounts/{account_id}/access/policies

Creates a new Access reusable policy.

Delete An Access Reusable Policy -> Envelope<{ id }>
delete/accounts/{account_id}/access/policies/{policy_id}

Deletes an Access reusable policy.

Get An Access Reusable Policy -> Envelope<{ id, app_count, approval_groups, 13 more... }>
get/accounts/{account_id}/access/policies/{policy_id}

Fetches a single Access reusable policy.

List Access Reusable Policies -> SinglePage<{ id, app_count, approval_groups, 13 more... }>
get/accounts/{account_id}/access/policies

Lists Access reusable policies.

Update An Access Reusable Policy -> Envelope<{ id, app_count, approval_groups, 13 more... }>
put/accounts/{account_id}/access/policies/{policy_id}

Updates an Access reusable policy.

Domain types

ApprovalGroup = { approvals_needed, email_addresses, email_list_uuid }

A group of email addresses that can approve a temporary authentication request.

Policy = { id, approval_groups, approval_required, 11 more... }

Service Tokens

zero_trust.access.service_tokens

Methods

Create A Service Token -> Envelope<{ id, client_id, client_secret, 4 more... }>
post/{account_or_zone}/{account_or_zone_id}/access/service_tokens

Generates a new service token. Note: This is the only time you can get the Client Secret. If you lose the Client Secret, you will have to rotate the Client Secret or create a new service token.

Delete A Service Token -> Envelope<>
delete/{account_or_zone}/{account_or_zone_id}/access/service_tokens/{service_token_id}

Deletes a service token.

Get A Service Token -> Envelope<>
get/{account_or_zone}/{account_or_zone_id}/access/service_tokens/{service_token_id}

Fetches a single service token.

List Service Tokens -> SinglePage<>
get/{account_or_zone}/{account_or_zone_id}/access/service_tokens

Lists all service tokens.

Refresh A Service Token -> Envelope<>
post/accounts/{account_id}/access/service_tokens/{service_token_id}/refresh

Refreshes the expiration of a service token.

Rotate A Service Token -> Envelope<{ id, client_id, client_secret, 4 more... }>
post/accounts/{account_id}/access/service_tokens/{service_token_id}/rotate

Generates a new Client Secret for a service token and revokes the old one.

Update A Service Token -> Envelope<>
put/{account_or_zone}/{account_or_zone_id}/access/service_tokens/{service_token_id}

Updates a configured service token.

Domain types

ServiceToken = { id, client_id, created_at, 4 more... }

zero_trust.access.tags

Methods

Create A Tag -> Envelope<>
post/accounts/{account_id}/access/tags

Create a tag

Delete A Tag -> Envelope<{ name }>
delete/accounts/{account_id}/access/tags/{tag_name}

Delete a tag

Get A Tag -> Envelope<>
get/accounts/{account_id}/access/tags/{tag_name}

Get a tag

List Tags -> SinglePage<>
get/accounts/{account_id}/access/tags

List tags

Update A Tag -> Envelope<>
put/accounts/{account_id}/access/tags/{tag_name}

Update a tag

Domain types

Tag = { name, app_count, created_at, 1 more... }

A tag

zero_trust.access.users

Methods

Get Users -> SinglePage<>
get/accounts/{account_id}/access/users

Gets a list of users for an account.

Domain types

AccessUser = { id, access_seat, active_device_count, 8 more... }

Active Sessions

zero_trust.access.users.active_sessions

Methods

Get Single Active Session -> Envelope<{ account_id, auth_status, common_name, 16 more... }>
get/accounts/{account_id}/access/users/{user_id}/active_sessions/{nonce}

Get an active session for a single user.

Get Active Sessions -> SinglePage<{ expiration, metadata, name }>
get/accounts/{account_id}/access/users/{user_id}/active_sessions

Get active sessions for a single user.

zero_trust.access.users.failed_logins

Methods

Get Failed Logins -> SinglePage<{ expiration, metadata }>
get/accounts/{account_id}/access/users/{user_id}/failed_logins

Get all failed login attempts for a single user.

Last Seen Identity

zero_trust.access.users.last_seen_identity

Methods

Get Last Seen Identity -> Envelope<>
get/accounts/{account_id}/access/users/{user_id}/last_seen_identity

Get last seen identity for a single user.

Domain types

Identity = { account_id, auth_status, common_name, 15 more... }

Connectivity Settings

zero_trust.connectivity_settings

Methods

Updates The Zero Trust Connectivity Settings -> Envelope<{ icmp_proxy_enabled, offramp_warp_enabled }>
patch/accounts/{account_id}/zerotrust/connectivity_settings

Updates the Zero Trust Connectivity Settings for the given account.

Get Zero Trust Connectivity Settings -> Envelope<{ icmp_proxy_enabled, offramp_warp_enabled }>
get/accounts/{account_id}/zerotrust/connectivity_settings

Gets the Zero Trust Connectivity Settings for the given account.

Devices

zero_trust.devices

Methods

Get Device Details -> Envelope<{ id, account, created, 16 more... }>
get/accounts/{account_id}/devices/{device_id}

Fetches details for a single device.

List Devices -> SinglePage<>
get/accounts/{account_id}/devices

Fetches a list of enrolled devices.

Domain types

Device = { id, created, deleted, 17 more... }

zero_trust.devices.dex_tests

Methods

Create Device DEX Test -> Envelope<>
post/accounts/{account_id}/devices/dex_tests

Create a DEX test.

Delete Device DEX Test -> Envelope<{ dex_tests }>
delete/accounts/{account_id}/devices/dex_tests/{dex_test_id}

Deletes a device DEX test. Returns the remaining device DEX tests for the account.

Get Device DEX Test -> Envelope<>
get/accounts/{account_id}/devices/dex_tests/{dex_test_id}

Fetch a single DEX test.

List Device DEX Tests -> SinglePage<>
get/accounts/{account_id}/devices/dex_tests

Fetch all DEX tests.

Update Device DEX Test -> Envelope<>
put/accounts/{account_id}/devices/dex_tests/{dex_test_id}

Update a DEX test.

Domain types

DEXTest = { data, enabled, interval, 5 more... }
SchemaData = { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

SchemaHTTP = { data, enabled, interval, 5 more... }

Fleet Status

zero_trust.devices.fleet_status

Methods

Get The Live Status Of A Latest Device -> { colo, deviceId, mode, 35 more... }
get/accounts/{account_id}/dex/devices/{device_id}/fleet-status/live

Gets the live status of the latest device, given a device_id, from the device_state table.

zero_trust.devices.networks

Methods

Create A Device Managed Network -> Envelope<>
post/accounts/{account_id}/devices/networks

Creates a new device managed network.

Delete A Device Managed Network -> Envelope<Array<>>
delete/accounts/{account_id}/devices/networks/{network_id}

Deletes a device managed network and fetches a list of the remaining device managed networks for an account.

Get Device Managed Network Details -> Envelope<>
get/accounts/{account_id}/devices/networks/{network_id}

Fetches details for a single managed network.

List Your Device Managed Networks -> SinglePage<>
get/accounts/{account_id}/devices/networks

Fetches a list of managed networks for an account.

Update A Device Managed Network -> Envelope<>
put/accounts/{account_id}/devices/networks/{network_id}

Updates a configured device managed network.

Domain types

DeviceNetwork = { config, name, network_id, 1 more... }

Override Codes

zero_trust.devices.override_codes

Methods

Get An Admin Override Code For A Device -> Envelope<{ disable_for_time }>
get/accounts/{account_id}/devices/{device_id}/override_codes

Fetches a one-time use admin override code for a device. This relies on the Admin Override setting being enabled in your device configuration.

zero_trust.devices.policies

Domain types

DevicePolicyCertificates = { enabled }
FallbackDomain = { suffix, description, dns_server }
FallbackDomainPolicy = Array<>
SettingsPolicy = { allow_mode_switch, allow_updates, allowed_to_leave, 22 more... }
SplitTunnelExclude = { address, description, host }
SplitTunnelInclude = { address, description, host }

zero_trust.devices.policies.custom

Methods

Create A Device Settings Profile -> Envelope<>
post/accounts/{account_id}/devices/policy

Creates a device settings profile to be applied to certain devices matching the criteria.

Delete A Device Settings Profile -> Envelope<Array<>>
delete/accounts/{account_id}/devices/policy/{policy_id}

Deletes a device settings profile and fetches a list of the remaining profiles for an account.

Update A Device Settings Profile -> Envelope<>
patch/accounts/{account_id}/devices/policy/{policy_id}

Updates a configured device settings profile.

Get Device Settings Profile By ID -> Envelope<>
get/accounts/{account_id}/devices/policy/{policy_id}

Fetches a device settings profile by ID.

List Device Settings Profiles -> SinglePage<>
get/accounts/{account_id}/devices/policies

Fetches a list of the device settings profiles for an account.

zero_trust.devices.policies.custom.excludes

Methods

Get The Split Tunnel Exclude List For A Device Settings Profile -> Envelope<Array<>>
get/accounts/{account_id}/devices/policy/{policy_id}/exclude

Fetches the list of routes excluded from the WARP client's tunnel for a specific device settings profile.

Set The Split Tunnel Exclude List For A Device Settings Profile -> Envelope<Array<>>
put/accounts/{account_id}/devices/policy/{policy_id}/exclude

Sets the list of routes excluded from the WARP client's tunnel for a specific device settings profile.

zero_trust.devices.policies.custom.fallback_domains

Methods

Get The Local Domain Fallback List For A Device Settings Profile -> Envelope<Array<>>
get/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains

Fetches the list of domains to bypass Gateway DNS resolution from a specified device settings profile. These domains will use the specified local DNS resolver instead.

Set The Local Domain Fallback List For A Device Settings Profile -> Envelope<Array<>>
put/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains

Sets the list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead. This will only apply to the specified device settings profile.

zero_trust.devices.policies.custom.includes

Methods

Get The Split Tunnel Include List For A Device Settings Profile -> Envelope<Array<>>
get/accounts/{account_id}/devices/policy/{policy_id}/include

Fetches the list of routes included in the WARP client's tunnel for a specific device settings profile.

Set The Split Tunnel Include List For A Device Settings Profile -> Envelope<Array<>>
put/accounts/{account_id}/devices/policy/{policy_id}/include

Sets the list of routes included in the WARP client's tunnel for a specific device settings profile.

zero_trust.devices.policies.default

Methods

Update The Default Device Settings Profile -> Envelope<{ allow_mode_switch, allow_updates, allowed_to_leave, 14 more... }>
patch/accounts/{account_id}/devices/policy

Updates the default device settings profile for an account.

Get The Default Device Settings Profile -> Envelope<{ allow_mode_switch, allow_updates, allowed_to_leave, 14 more... }>
get/accounts/{account_id}/devices/policy

Fetches the default device settings profile for an account.

zero_trust.devices.policies.default.certificates

Methods

Update Device Certificate Provisioning Status -> Envelope<unknown>
patch/zones/{zone_id}/devices/policy/certificates

Enables Zero Trust clients to provision a certificate containing an X.509 subject, which is referenced by Access device posture policies when the client visits mTLS-protected domains. This facilitates device posture without a WARP session.

Get Device Certificate Provisioning Status -> Envelope<unknown>
get/zones/{zone_id}/devices/policy/certificates

Fetches the device certificate provisioning status.

zero_trust.devices.policies.default.excludes

Methods

Get The Split Tunnel Exclude List -> Envelope<Array<>>
get/accounts/{account_id}/devices/policy/exclude

Fetches the list of routes excluded from the WARP client's tunnel.

Set The Split Tunnel Exclude List -> Envelope<Array<>>
put/accounts/{account_id}/devices/policy/exclude

Sets the list of routes excluded from the WARP client's tunnel.

zero_trust.devices.policies.default.fallback_domains

Methods

Get Your Local Domain Fallback List -> Envelope<Array<>>
get/accounts/{account_id}/devices/policy/fallback_domains

Fetches a list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead.

Set Your Local Domain Fallback List -> Envelope<Array<>>
put/accounts/{account_id}/devices/policy/fallback_domains

Sets the list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead.

zero_trust.devices.policies.default.includes

Methods

Get The Split Tunnel Include List -> Envelope<Array<>>
get/accounts/{account_id}/devices/policy/include

Fetches the list of routes included in the WARP client's tunnel.

Set The Split Tunnel Include List -> Envelope<Array<>>
put/accounts/{account_id}/devices/policy/include

Sets the list of routes included in the WARP client's tunnel.

zero_trust.devices.posture

Methods

Create A Device Posture Rule -> Envelope<>
post/accounts/{account_id}/devices/posture

Creates a new device posture rule.

Delete A Device Posture Rule -> Envelope<{ id }>
delete/accounts/{account_id}/devices/posture/{rule_id}

Deletes a device posture rule.

Get Device Posture Rule Details -> Envelope<>
get/accounts/{account_id}/devices/posture/{rule_id}

Fetches a single device posture rule.

List Device Posture Rules -> SinglePage<>
get/accounts/{account_id}/devices/posture

Fetches device posture rules for a Zero Trust account.

Update A Device Posture Rule -> Envelope<>
put/accounts/{account_id}/devices/posture/{rule_id}

Updates a device posture rule.

Domain types

CarbonblackInput = string
ClientCertificateInput = { certificate_id, cn }
CrowdstrikeInput = { connection_id, last_seen, operator, 6 more... }
DeviceInput = | | | 15 more...

The value to be checked against.

DeviceMatch = { platform }
DevicePostureRule = { id, description, expiration, 5 more... }
DiskEncryptionInput = { checkDisks, requireAll }
DomainJoinedInput = { operating_system, domain }
FileInput = { operating_system, path, exists, 2 more... }
FirewallInput = { enabled, operating_system }
IntuneInput = { compliance_status, connection_id }
KolideInput = { connection_id, countOperator, issue_count }
OSVersionInput = { operating_system, operator, version, 3 more... }
SentineloneInput = { operating_system, path, sha256, 1 more... }
SentineloneS2sInput = { connection_id, active_threats, infected, 4 more... }
TaniumInput = { connection_id, eid_last_seen, operator, 3 more... }
UniqueClientIDInput = { id, operating_system }
WorkspaceOneInput = { compliance_status, connection_id }

zero_trust.devices.posture.integrations

Methods

Create A Device Posture Integration -> Envelope<>
post/accounts/{account_id}/devices/posture/integration

Create a new device posture integration.

Delete A Device Posture Integration -> Envelope<unknown>
delete/accounts/{account_id}/devices/posture/integration/{integration_id}

Delete a configured device posture integration.

Update A Device Posture Integration -> Envelope<>
patch/accounts/{account_id}/devices/posture/integration/{integration_id}

Updates a configured device posture integration.

Get Device Posture Integration Details -> Envelope<>
get/accounts/{account_id}/devices/posture/integration/{integration_id}

Fetches details for a single device posture integration.

List Your Device Posture Integrations -> SinglePage<>
get/accounts/{account_id}/devices/posture/integration

Fetches the list of device posture integrations for an account.

Domain types

Integration = { id, config, interval, 2 more... }

zero_trust.devices.revoke

Methods

Revoke Devices -> Envelope<unknown>
post/accounts/{account_id}/devices/revoke

Revokes a list of devices.

zero_trust.devices.settings

Methods

Patch Device Settings For A Zero Trust Account -> Envelope<>
patch/accounts/{account_id}/devices/settings

Patches the current device settings for a Zero Trust account.

Get Device Settings For A Zero Trust Account -> Envelope<>
get/accounts/{account_id}/devices/settings

Describes the current device settings for a Zero Trust account.

Update Device Settings For A Zero Trust Account -> Envelope<>
put/accounts/{account_id}/devices/settings

Updates the current device settings for a Zero Trust account.

Domain types

DeviceSettings = { disable_for_time, gateway_proxy_enabled, gateway_udp_proxy_enabled, 2 more... }

zero_trust.devices.unrevoke

Methods

Unrevoke Devices -> Envelope<unknown>
post/accounts/{account_id}/devices/unrevoke

Unrevokes a list of devices.

zero_trust.dex

Domain types

DigitalExperienceMonitor = { id, default, name }
NetworkPath = { slots, sampling }
NetworkPathResponse = { id, deviceName, interval, 4 more... }
Percentiles = { p50, p90, p95, 1 more... }

zero_trust.dex.colos

Methods

List Cloudflare Colos -> SinglePage<unknown>
get/accounts/{account_id}/dex/colos

List Cloudflare colos that the account's devices were connected to during a time period, sorted by usage starting from the most used colo. Colos without traffic are also returned and sorted alphabetically.

zero_trust.dex.commands

Methods

Create Account Commands -> Envelope<{ commands }>
post/accounts/{account_id}/dex/commands

Initiate commands for up to 10 devices per account

List Account Commands -> V4PagePagination<{ commands }>
get/accounts/{account_id}/dex/commands

Retrieves a paginated list of commands issued to devices under the specified account, optionally filtered by time range, device, or other parameters

zero_trust.dex.commands.devices

Methods

List Devices Eligible For Remote Captures -> V4PagePagination<{ devices }>
get/accounts/{account_id}/dex/commands/devices

List devices with WARP client support for remote captures which have been connected in the last 1 hour.

zero_trust.dex.commands.downloads

Methods

Download Command Output File -> unknown
get/accounts/{account_id}/dex/commands/{command_id}/downloads/{filename}

Downloads artifacts for an executed command. Bulk downloads are not supported

zero_trust.dex.commands.quota

Methods

Returns Account Commands Usage Quota And Reset Time -> Envelope<{ quota, quota_usage, reset_time }>
get/accounts/{account_id}/dex/commands/quota

Retrieves the current quota usage and limits for device commands within a specific account, including the time when the quota will reset

zero_trust.dex.commands.users

Methods

List Of User Emails Associated With Devices Eligible For Remote Captures -> Envelope<{ userEmails }>
get/accounts/{account_id}/dex/commands/users

List user emails associated with devices with WARP client support for remote captures which have been connected in the last 1 hour.

Fleet Status

zero_trust.dex.fleet_status

Methods

List Fleet Status Details By Dimension -> Envelope<{ deviceStats }>
get/accounts/{account_id}/dex/fleet-status/live

List details for live (up to 60 minutes) devices using WARP

List Fleet Status Aggregate Details By Dimension ->
get/accounts/{account_id}/dex/fleet-status/over-time

List details for devices using WARP, up to 7 days

Domain types

LiveStat = { uniqueDevicesTotal, value }

zero_trust.dex.fleet_status.devices

Methods

List Fleet Status Devices -> V4PagePaginationArray<{ colo, deviceId, mode, 35 more... }>
get/accounts/{account_id}/dex/fleet-status/devices

List details for devices using WARP

HTTP Tests

zero_trust.dex.http_tests

Methods

Get Details And Aggregate Metrics For An HTTP Test -> Envelope<>
get/accounts/{account_id}/dex/http-tests/{test_id}

Get test details and aggregate performance metrics for an HTTP test for a given time period between 1 hour and 7 days.

Domain types

HTTPDetails = { host, httpStats, httpStatsByColo, 6 more... }

zero_trust.dex.http_tests.percentiles

Methods

Get Percentiles For An HTTP Test -> Envelope<>
get/accounts/{account_id}/dex/http-tests/{test_id}/percentiles

Get percentiles for an HTTP test for a given time period between 1 hour and 7 days.

Domain types

HTTPDetailsPercentiles = { dnsResponseTimeMs, resourceFetchTimeMs, serverResponseTimeMs }
TestStatOverTime = { slots, avg, max, 1 more... }

zero_trust.dex.tests

Methods

List DEX Test Analytics -> V4PagePagination<>
get/accounts/{account_id}/dex/tests/overview

List DEX tests with overview metrics

Domain types

AggregateTimePeriod = { units, value }
Tests = { overviewMetrics, tests }

Unique Devices

zero_trust.dex.tests.unique_devices

Methods

Get Count Of Devices Targeted -> Envelope<>
get/accounts/{account_id}/dex/tests/unique-devices

Returns unique count of devices that have run synthetic application monitoring tests in the past 7 days.

Domain types

UniqueDevices = { uniqueDevicesTotal }

Traceroute Test Results

zero_trust.dex.traceroute_test_results

zero_trust.dex.traceroute_test_results.network_path

Methods

Get Details For A Specific Traceroute Test Run -> Envelope<{ hops, resultId, deviceName, 2 more... }>
get/accounts/{account_id}/dex/traceroute-test-results/{test_result_id}/network-path

Get a breakdown of hops and performance metrics for a specific traceroute test run

Traceroute Tests

zero_trust.dex.traceroute_tests

Methods

Get Details And Aggregate Metrics For A Traceroute Test -> Envelope<>
get/accounts/{account_id}/dex/traceroute-tests/{test_id}

Get test details and aggregate performance metrics for a traceroute test for a given time period between 1 hour and 7 days.

Get Network Path Breakdown For A Traceroute Test -> Envelope<>
get/accounts/{account_id}/dex/traceroute-tests/{test_id}/network-path

Get a breakdown of metrics by hop for individual traceroute test runs

Get Percentiles For A Traceroute Test -> Envelope<{ hopsCount, packetLossPct, roundTripTimeMs }>
get/accounts/{account_id}/dex/traceroute-tests/{test_id}/percentiles

Get percentiles for a traceroute test for a given time period between 1 hour and 7 days.

Domain types

Traceroute = { host, interval, kind, 5 more... }

zero_trust.dlp

zero_trust.dlp.datasets

Methods

Create A New Dataset -> Envelope<>
post/accounts/{account_id}/dlp/datasets

Create a new dataset

Delete A Dataset ->
delete/accounts/{account_id}/dlp/datasets/{dataset_id}

This deletes all versions of the dataset.

Fetch A Specific Dataset -> Envelope<>
get/accounts/{account_id}/dlp/datasets/{dataset_id}

Fetch a specific dataset

Fetch All Datasets -> SinglePage<>
get/accounts/{account_id}/dlp/datasets

Fetch all datasets

Update Details About A Dataset -> Envelope<>
put/accounts/{account_id}/dlp/datasets/{dataset_id}

Update details about a dataset

Domain types

Dataset = { id, columns, created_at, 8 more... }
DatasetArray = Array<>
DatasetCreation = { dataset, encoding_version, max_cells, 2 more... }

zero_trust.dlp.datasets.upload

Methods

Prepare To Upload A New Version Of A Dataset -> Envelope<>
post/accounts/{account_id}/dlp/datasets/{dataset_id}/upload

Prepare to upload a new version of a dataset

Upload A New Version Of A Dataset -> Envelope<>
post/accounts/{account_id}/dlp/datasets/{dataset_id}/upload/{version}

This is used for single-column EDMv1 and Custom Word Lists. The EDM format can only be created in the Cloudflare dashboard. For other clients, this operation can only be used for non-secret Custom Word Lists. The body must be a UTF-8 encoded, newline (NL or CRNL) separated list of words to be matched.

Domain types

NewVersion = { encoding_version, max_cells, version, 2 more... }

zero_trust.dlp.datasets.versions

Methods

Sets The Column Information For A Multi Column Upload -> Envelope<Array<{ entry_id, header_name, num_cells, 1 more... }>>
post/accounts/{account_id}/dlp/datasets/{dataset_id}/versions/{version}

This is used for multi-column EDMv2 datasets. The EDMv2 format can only be created in the Cloudflare dashboard. The columns in the response appear in the same order as in the request.

zero_trust.dlp.datasets.versions.entries

Methods

Upload A New Version Of A Multi Column Dataset -> Envelope<{ entry_id, header_name, num_cells, 1 more... }>
post/accounts/{account_id}/dlp/datasets/{dataset_id}/versions/{version}/entries/{entry_id}

This is used for multi-column EDMv2 datasets. The EDMv2 format can only be created in the Cloudflare dashboard.

zero_trust.dlp.email

Account Mapping

zero_trust.dlp.email.account_mapping

Methods

Create Mapping -> Envelope<{ addin_identifier_token, auth_requirements }>
post/accounts/{account_id}/dlp/email/account_mapping

Create mapping

Get Mapping -> Envelope<{ addin_identifier_token, auth_requirements }>
get/accounts/{account_id}/dlp/email/account_mapping

Get mapping

zero_trust.dlp.email.rules

Methods

Update Email Scanner Rule Priorities -> Envelope<{ action, conditions, created_at, 6 more... }>
patch/accounts/{account_id}/dlp/email/rules

Update email scanner rule priorities

Create Email Scanner Rule -> Envelope<{ action, conditions, created_at, 6 more... }>
post/accounts/{account_id}/dlp/email/rules

Create email scanner rule

Delete Email Scanner Rule -> Envelope<{ action, conditions, created_at, 6 more... }>
delete/accounts/{account_id}/dlp/email/rules/{rule_id}

Delete email scanner rule

Get An Email Scanner Rule -> Envelope<{ action, conditions, created_at, 6 more... }>
get/accounts/{account_id}/dlp/email/rules/{rule_id}

Get an email scanner rule

List All Email Scanner Rules -> SinglePage<{ action, conditions, created_at, 6 more... }>
get/accounts/{account_id}/dlp/email/rules

Lists all email scanner rules for an account.

Update Email Scanner Rule -> Envelope<{ action, conditions, created_at, 6 more... }>
put/accounts/{account_id}/dlp/email/rules/{rule_id}

Update email scanner rule

zero_trust.dlp.entries

Methods

Create Custom Entry -> Envelope<{ id, created_at, enabled, 4 more... }>
post/accounts/{account_id}/dlp/entries

Creates a DLP custom entry.

Delete Custom Entry -> Envelope<unknown>
delete/accounts/{account_id}/dlp/entries/{entry_id}

Deletes a DLP custom entry.

Get DLP Entry -> Envelope<{ id, created_at, enabled, 5 more... } | { id, confidence, enabled, 3 more... } | { id, created_at, enabled, 4 more... } | 2 more...>
get/accounts/{account_id}/dlp/entries/{entry_id}

Fetches a DLP entry by ID

List All Entries -> SinglePage<{ id, created_at, enabled, 5 more... } | { id, confidence, enabled, 3 more... } | { id, created_at, enabled, 4 more... } | 2 more...>
get/accounts/{account_id}/dlp/entries

Lists all DLP entries in an account.

Update Entry -> Envelope<{ id, created_at, enabled, 5 more... } | { id, confidence, enabled, 3 more... } | { id, created_at, enabled, 4 more... } | 2 more...>
put/accounts/{account_id}/dlp/entries/{entry_id}

Updates a DLP entry.

zero_trust.dlp.limits

Methods

Fetch Limits Associated With DLP For Account -> Envelope<{ max_dataset_cells }>
get/accounts/{account_id}/dlp/limits

Fetch limits associated with DLP for account

zero_trust.dlp.patterns

Methods

Validate A DLP Regex Pattern -> Envelope<{ valid }>
post/accounts/{account_id}/dlp/patterns/validate

Validates whether this pattern is a valid regular expression. Rejects it if the regular expression is too complex or can match an unbounded-length string. The regex will be rejected if it uses * or +. Bound the maximum number of characters that can be matched using a range, e.g. {1,100}.

Payload Logs

zero_trust.dlp.payload_logs

Methods

Get Payload Log Settings -> Envelope<{ updated_at, public_key }>
get/accounts/{account_id}/dlp/payload_log

Get payload log settings

Set Payload Log Settings -> Envelope<{ updated_at, public_key }>
put/accounts/{account_id}/dlp/payload_log

Set payload log settings

zero_trust.dlp.profiles

Methods

Get DLP Profile -> Envelope<>
get/accounts/{account_id}/dlp/profiles/{profile_id}

Fetches a DLP profile by ID

List All Profiles -> SinglePage<>
get/accounts/{account_id}/dlp/profiles

Lists all DLP profiles in an account.

Domain types

ContextAwareness = { enabled, skip }

Scan the context of predefined entries to only return matches surrounded by keywords.

Profile = { id, allowed_match_count, context_awareness, 8 more... } | { id, allowed_match_count, entries, 6 more... } | { id, created_at, entries, 4 more... }
SkipConfiguration = { files }

Content types to exclude from context analysis and return all matches.

zero_trust.dlp.profiles.custom

Methods

Create Custom Profile -> Envelope<{ id, allowed_match_count, context_awareness, 8 more... } | { id, allowed_match_count, entries, 6 more... } | { id, created_at, entries, 4 more... } | 1 more...>
post/accounts/{account_id}/dlp/profiles/custom

Creates a DLP custom profile.

Security

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example: Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY

Parameters

account_id: string

Response fields

errors: Array<>
messages: Array<>
success: true

Whether the API call was successful

result: { id, allowed_match_count, context_awareness, 8 more... } | { id, allowed_match_count, entries, 6 more... } | { id, created_at, entries, 4 more... } | 1 more...
Optional

Delete Custom Profile -> Envelope<unknown>
delete/accounts/{account_id}/dlp/profiles/custom/{profile_id}

Deletes a DLP custom profile.

Get Custom Profile -> Envelope<>
get/accounts/{account_id}/dlp/profiles/custom/{profile_id}

Fetches a custom DLP profile by id.

Update Custom Profile -> Envelope<>
put/accounts/{account_id}/dlp/profiles/custom/{profile_id}

Updates a DLP custom profile.

Domain types

CustomProfile = { id, allowed_match_count, context_awareness, 7 more... }
Pattern = { regex, validation }

zero_trust.dlp.profiles.predefined

Methods

Get Predefined Profile -> Envelope<>
get/accounts/{account_id}/dlp/profiles/predefined/{profile_id}

Fetches a predefined DLP profile by id.

Update Predefined Profile -> Envelope<>
put/accounts/{account_id}/dlp/profiles/predefined/{profile_id}

Updates a DLP predefined profile. Only supports enabling/disabling entries.

Domain types

PredefinedProfile = { id, allowed_match_count, entries, 5 more... }

Gateway

zero_trust.gateway

Methods

Create Zero Trust Account -> Envelope<{ id, gateway_tag, provider_name }>
post/accounts/{account_id}/gateway

Creates a Zero Trust account with an existing Cloudflare account.

Get Zero Trust Account Information -> Envelope<{ id, gateway_tag, provider_name }>
get/accounts/{account_id}/gateway

Gets information about the current Zero Trust account.

zero_trust.gateway.app_types

Methods

List Application And Application Type Mappings -> SinglePage<>
get/accounts/{account_id}/gateway/app_types

Fetches all application and application type mappings.

Domain types

AppType = { id, application_type_id, created_at, 1 more... } | { id, created_at, description, 1 more... }

Audit SSH Settings

zero_trust.gateway.audit_ssh_settings

Methods

Get Zero Trust SSH Settings -> Envelope<>
get/accounts/{account_id}/gateway/audit_ssh_settings

Gets all Zero Trust Audit SSH and SSH with Access for Infrastructure settings for an account.

Rotate Zero Trust SSH Account Seed -> Envelope<>
post/accounts/{account_id}/gateway/audit_ssh_settings/rotate_seed

Rotates the SSH account seed that is used for generating the host key identity when connecting through the Cloudflare SSH Proxy.

Update Zero Trust SSH Settings -> Envelope<>
put/accounts/{account_id}/gateway/audit_ssh_settings

Updates Zero Trust Audit SSH and SSH with Access for Infrastructure settings for an account.

Domain types

GatewaySettings = { created_at, public_key, seed_id, 1 more... }

zero_trust.gateway.categories

Methods

List Categories -> SinglePage<>
get/accounts/{account_id}/gateway/categories

Fetches a list of all categories.

Domain types

Category = { id, beta, class, 3 more... }

Certificates

zero_trust.gateway.certificates

Methods

Activate A Zero Trust Certificate -> Envelope<{ id, binding_status, certificate, 9 more... }>
post/accounts/{account_id}/gateway/certificates/{certificate_id}/activate

Binds a single Zero Trust certificate to the edge.

Create Zero Trust Certificate -> Envelope<{ id, binding_status, certificate, 9 more... }>
post/accounts/{account_id}/gateway/certificates

Creates a new Zero Trust certificate.

Deactivate A Zero Trust Certificate -> Envelope<{ id, binding_status, certificate, 9 more... }>
post/accounts/{account_id}/gateway/certificates/{certificate_id}/deactivate

Unbinds a single Zero Trust certificate from the edge

Delete Zero Trust Certificate -> Envelope<{ id, binding_status, certificate, 9 more... }>
delete/accounts/{account_id}/gateway/certificates/{certificate_id}

Deletes a gateway-managed Zero Trust certificate. A certificate must be deactivated from the edge (inactive) before it is deleted.

Get Zero Trust Certificate Details -> Envelope<{ id, binding_status, certificate, 9 more... }>
get/accounts/{account_id}/gateway/certificates/{certificate_id}

Fetches a single Zero Trust certificate.

List Zero Trust Certificates -> SinglePage<{ id, binding_status, certificate, 9 more... }>
get/accounts/{account_id}/gateway/certificates

Fetches all Zero Trust certificates for an account.

Configurations

zero_trust.gateway.configurations

Methods

Patch Zero Trust Account Configuration -> Envelope<{ created_at, settings, updated_at }>
patch/accounts/{account_id}/gateway/configuration

Patches the current Zero Trust account configuration. This endpoint can update a single subcollection of settings such as antivirus, tls_decrypt, activity_log, block_page, browser_isolation, fips, body_scanning, or certificate, without updating the entire configuration object. Returns an error if any collection of settings is not properly configured.

Get Zero Trust Account Configuration -> Envelope<{ created_at, settings, updated_at }>
get/accounts/{account_id}/gateway/configuration

Fetches the current Zero Trust account configuration.

Update Zero Trust Account Configuration -> Envelope<{ created_at, settings, updated_at }>
put/accounts/{account_id}/gateway/configuration

Updates the current Zero Trust account configuration.

Domain types

ActivityLogSettings = { enabled }

Activity log settings.

AntiVirusSettings = { enabled_download_phase, enabled_upload_phase, fail_closed, 1 more... }

Anti-virus settings.

BlockPageSettings = { background_color, enabled, footer_text, 6 more... }

Block page layout settings.

BodyScanningSettings = { inspection_mode }

DLP body scanning settings.

BrowserIsolationSettings = { non_identity_enabled, url_browser_isolation_enabled }

Browser isolation settings.

CustomCertificateSettings = { enabled, id, binding_status, 1 more... }

Custom certificate settings for BYO-PKI. (deprecated and replaced by certificate)

ExtendedEmailMatching = { enabled }

Extended e-mail matching settings.

FipsSettings = { tls }

FIPS settings.

GatewayConfigurationSettings = { activity_log, antivirus, block_page, 9 more... }

Account settings

NotificationSettings = { enabled, msg, support_url }

Configure a message to display on the user's device when an antivirus search is performed.

ProtocolDetection = { enabled }

Protocol Detection settings.

TLSSettings = { enabled }

TLS interception settings.

zero_trust.gateway.configurations.custom_certificate

Methods

Get Zero Trust Certificate Configuration ->
get/accounts/{account_id}/gateway/configuration/custom_certificate

Fetches the current Zero Trust certificate configuration.

zero_trust.gateway.lists

Methods

Create Zero Trust List -> Envelope<{ id, created_at, description, 4 more... }>
post/accounts/{account_id}/gateway/lists

Creates a new Zero Trust list.

Delete Zero Trust List -> Envelope<unknown>
delete/accounts/{account_id}/gateway/lists/{list_id}

Deletes a Zero Trust list.

Patch Zero Trust List -> Envelope<>
patch/accounts/{account_id}/gateway/lists/{list_id}

Appends or removes an item from a configured Zero Trust list.

Get Zero Trust List Details -> Envelope<>
get/accounts/{account_id}/gateway/lists/{list_id}

Fetches a single Zero Trust list.

List Zero Trust Lists -> SinglePage<>
get/accounts/{account_id}/gateway/lists

Fetches all Zero Trust lists for an account.

Update Zero Trust List -> Envelope<>
put/accounts/{account_id}/gateway/lists/{list_id}

Updates a configured Zero Trust list. Skips updating list items if not included in the payload.

Domain types

GatewayItem = { created_at, description, value }
GatewayList = { id, count, created_at, 4 more... }

zero_trust.gateway.lists.items

Methods

Get Zero Trust List Items -> SinglePage<Array<>>
get/accounts/{account_id}/gateway/lists/{list_id}/items

Fetches all items in a single Zero Trust list.

zero_trust.gateway.locations

Methods

Create A Zero Trust Gateway Location -> Envelope<>
post/accounts/{account_id}/gateway/locations

Creates a new Zero Trust Gateway location.

Delete A Zero Trust Gateway Location -> Envelope<unknown>
delete/accounts/{account_id}/gateway/locations/{location_id}

Deletes a configured Zero Trust Gateway location.

Get Zero Trust Gateway Location Details -> Envelope<>
get/accounts/{account_id}/gateway/locations/{location_id}

Fetches a single Zero Trust Gateway location.

List Zero Trust Gateway Locations -> SinglePage<>
get/accounts/{account_id}/gateway/locations

Fetches Zero Trust Gateway locations for an account.

Update A Zero Trust Gateway Location -> Envelope<>
put/accounts/{account_id}/gateway/locations/{location_id}

Updates a configured Zero Trust Gateway location.

Domain types

DOHEndpoint = { enabled, networks, require_token }
DOTEndpoint = { enabled, networks }
Endpoint = { doh, dot, ipv4, 1 more... }

The destination endpoints configured for this location. When updating a location, if this field is absent or set with null, the endpoints configuration remains unchanged.

IPNetwork = { network }
IPV4Endpoint = { enabled }
IPV6Endpoint = { enabled, networks }
IPV6Network = { network }
Location = { id, client_default, created_at, 11 more... }

zero_trust.gateway.logging

Methods

Get Logging Settings For The Zero Trust Account -> Envelope<>
get/accounts/{account_id}/gateway/logging

Fetches the current logging settings for the Zero Trust account.

Update Zero Trust Account Logging Settings -> Envelope<>
put/accounts/{account_id}/gateway/logging

Updates logging settings for the current Zero Trust account.

Domain types

LoggingSetting = { redact_pii, settings_by_rule_type }

Proxy Endpoints

zero_trust.gateway.proxy_endpoints

Methods

Create A Proxy Endpoint -> Envelope<>
post/accounts/{account_id}/gateway/proxy_endpoints

Creates a new Zero Trust Gateway proxy endpoint.

Delete A Proxy Endpoint -> Envelope<unknown>
delete/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}

Deletes a configured Zero Trust Gateway proxy endpoint.

Update A Proxy Endpoint -> Envelope<>
patch/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}

Updates a configured Zero Trust Gateway proxy endpoint.

Get A Proxy Endpoint -> Envelope<Array<>>
get/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}

Fetches a single Zero Trust Gateway proxy endpoint.

List Proxy Endpoints -> Envelope<>
get/accounts/{account_id}/gateway/proxy_endpoints

Fetches all Zero Trust Gateway proxy endpoints for an account.

Domain types

GatewayIPs = string

The IPv4 CIDR or IPv6 CIDR. IPv6 CIDRs are limited to a maximum of /109. IPv4 CIDRs are limited to a maximum of /25.

ProxyEndpoint = { id, created_at, ips, 3 more... }

zero_trust.gateway.rules

Methods

Create A Zero Trust Gateway Rule -> Envelope<>
post/accounts/{account_id}/gateway/rules

Creates a new Zero Trust Gateway rule.

Delete A Zero Trust Gateway Rule -> Envelope<unknown>
delete/accounts/{account_id}/gateway/rules/{rule_id}

Deletes a Zero Trust Gateway rule.

Get Zero Trust Gateway Rule Details -> Envelope<>
get/accounts/{account_id}/gateway/rules/{rule_id}

Fetches a single Zero Trust Gateway rule.

List Zero Trust Gateway Rules -> SinglePage<>
get/accounts/{account_id}/gateway/rules

Fetches the Zero Trust Gateway rules for an account.

Reset The Expiration Of A Zero Trust Gateway Rule -> Envelope<>
post/accounts/{account_id}/gateway/rules/{rule_id}/reset_expiration

Resets the expiration of a Zero Trust Gateway Rule if its duration has elapsed and it has a default duration.

The Zero Trust Gateway Rule must have values for both expiration.expires_at and expiration.duration.

Update A Zero Trust Gateway Rule -> Envelope<>
put/accounts/{account_id}/gateway/rules/{rule_id}

Updates a configured Zero Trust Gateway rule.

Domain types

DNSResolverSettingsV4 = { ip, port, route_through_private_network, 1 more... }
DNSResolverSettingsV6 = { ip, port, route_through_private_network, 1 more... }
GatewayFilter = "http" | "dns" | "l4" | 1 more...

The protocol or layer to use.

GatewayRule = { id, action, created_at, 14 more... }
RuleSetting = { add_headers, allow_child_bypass, audit_ssh, 20 more... }

Additional settings that modify the rule's action.

Schedule = { fri, mon, sat, 5 more... }

The schedule for activating DNS policies. This does not apply to HTTP or network policies.

Identity Providers

zero_trust.identity_providers

Methods

Add An Access Identity Provider -> Envelope<>
post/{account_or_zone}/{account_or_zone_id}/access/identity_providers

Adds a new identity provider to Access.

Delete An Access Identity Provider -> Envelope<{ id }>
delete/{account_or_zone}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}

Deletes an identity provider from Access.

Get An Access Identity Provider -> Envelope<>
get/{account_or_zone}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}

Fetches a configured identity provider.

List Access Identity Providers -> SinglePage< | { config, name, type, 2 more... } | { config, name, type, 2 more... } | 10 more...>
get/{account_or_zone}/{account_or_zone_id}/access/identity_providers

Lists all configured identity providers.

Update An Access Identity Provider -> Envelope<>
put/{account_or_zone}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}

Updates a configured identity provider.

Domain types

AzureAD = { config, name, type, 2 more... }
GenericOAuthConfig = { client_id, client_secret }
IdentityProvider = | { config, name, type, 2 more... } | { config, name, type, 2 more... } | 11 more...
IdentityProviderSCIMConfig = { enabled, identity_update_behavior, scim_base_url, 3 more... }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

IdentityProviderType = "onetimepin" | "azureAD" | "saml" | 11 more...

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

Networks

zero_trust.networks

zero_trust.networks.routes

Methods

Create A Tunnel Route -> Envelope<>
post/accounts/{account_id}/teamnet/routes

Routes a private network through a Cloudflare Tunnel.

Delete A Tunnel Route -> Envelope<>
delete/accounts/{account_id}/teamnet/routes/{route_id}

Deletes a private network route from an account.

Update A Tunnel Route -> Envelope<>
patch/accounts/{account_id}/teamnet/routes/{route_id}

Updates an existing private network route in an account. The fields that are meant to be updated should be provided in the body of the request.

Get Tunnel Route -> Envelope<>
get/accounts/{account_id}/teamnet/routes/{route_id}

Get a private network route in an account.

List Tunnel Routes -> V4PagePaginationArray<>
get/accounts/{account_id}/teamnet/routes

Lists and filters private network routes in an account.

Domain types

NetworkRoute = { id, comment, created_at, 4 more... }
Route = { id, comment, created_at, 4 more... }
Teamnet = { id, comment, created_at, 7 more... }

zero_trust.networks.routes.ips

Methods

Get Tunnel Route By IP -> Envelope<>
get/accounts/{account_id}/teamnet/routes/ip/{ip}

Fetches routes that contain the given IP address.

zero_trust.networks.routes.networks

Methods

Create A Tunnel Route CIDR Endpoint -> Envelope<>
post/accounts/{account_id}/teamnet/routes/network/{ip_network_encoded}

Routes a private network through a Cloudflare Tunnel. The CIDR in ip_network_encoded must be written in URL-encoded format.

Delete A Tunnel Route CIDR Endpoint -> Envelope<>
delete/accounts/{account_id}/teamnet/routes/network/{ip_network_encoded}

Deletes a private network route from an account. The CIDR in ip_network_encoded must be written in URL-encoded format. If no virtual_network_id is provided, it will delete the route from the default vnet. If no tun_type is provided, it will fetch the type from the tunnel_id or, if that is missing, it will assume Cloudflare Tunnel as default. If tunnel_id is provided, it will delete the route from that tunnel; otherwise it will delete the route based on the vnet and tun_type.

Update A Tunnel Route CIDR Endpoint -> Envelope<>
patch/accounts/{account_id}/teamnet/routes/network/{ip_network_encoded}

Updates an existing private network route in an account. The CIDR in ip_network_encoded must be written in URL-encoded format.

Virtual Networks

zero_trust.networks.virtual_networks

Methods

Create A Virtual Network -> Envelope<>
post/accounts/{account_id}/teamnet/virtual_networks

Adds a new virtual network to an account.

Delete A Virtual Network -> Envelope<>
delete/accounts/{account_id}/teamnet/virtual_networks/{virtual_network_id}

Deletes an existing virtual network.

Update A Virtual Network -> Envelope<>
patch/accounts/{account_id}/teamnet/virtual_networks/{virtual_network_id}

Updates an existing virtual network.

Get A Virtual Network -> Envelope<>
get/accounts/{account_id}/teamnet/virtual_networks/{virtual_network_id}

Get a virtual network.

List Virtual Networks -> SinglePage<>
get/accounts/{account_id}/teamnet/virtual_networks

Lists and filters virtual networks in an account.

Domain types

VirtualNetwork = { id, comment, created_at, 3 more... }

Organizations

zero_trust.organizations

Methods

Create Your Zero Trust Organization -> Envelope<>
post/{account_or_zone}/{account_or_zone_id}/access/organizations

Sets up a Zero Trust organization for your account or zone.

Get Your Zero Trust Organization -> Envelope<>
get/{account_or_zone}/{account_or_zone_id}/access/organizations

Returns the configuration for your Zero Trust organization.

Revoke All Access Tokens For A User -> Envelope<true | false>
post/{account_or_zone}/{account_or_zone_id}/access/organizations/revoke_user

Revokes a user's access across all applications.

Update Your Zero Trust Organization -> Envelope<>
put/{account_or_zone}/{account_or_zone_id}/access/organizations

Updates the configuration for your Zero Trust organization.

Domain types

LoginDesign = { background_color, footer_text, header_text, 2 more... }
Organization = { allow_authenticate_via_warp, auth_domain, auto_redirect_to_identity, 10 more... }

zero_trust.organizations.doh

Methods

Get Your Zero Trust Organization DoH Settings -> Envelope<{ id, client_id, created_at, 5 more... }>
get/accounts/{account_id}/access/organizations/doh

Returns the DoH settings for your Zero Trust organization.

Update Your Zero Trust Organization DoH Settings -> Envelope<{ id, client_id, created_at, 5 more... }>
put/accounts/{account_id}/access/organizations/doh

Updates the DoH settings for your Zero Trust organization.

Risk Scoring

zero_trust.risk_scoring

Methods

Get Risk Event Score Information For A Specific User -> Envelope<{ email, events, name, 2 more... }>
get/accounts/{account_id}/zt_risk_scoring/{user_id}

Get risk event/score information for a specific user

Clear The Risk Score For A Particular User -> Envelope<unknown>
post/accounts/{account_id}/zt_risk_scoring/{user_id}/reset

Clear the risk score for a particular user

zero_trust.risk_scoring.behaviours

Methods

Get All Behaviors And Associated Configuration -> Envelope<{ behaviors }>
get/accounts/{account_id}/zt_risk_scoring/behaviors

Get all behaviors and associated configuration

Update Configuration For Risk Behaviors -> Envelope<{ behaviors }>
put/accounts/{account_id}/zt_risk_scoring/behaviors

Update configuration for risk behaviors

zero_trust.risk_scoring.integrations

Methods

Create New Risk Score Integration -> Envelope<{ id, account_tag, active, 5 more... }>
post/accounts/{account_id}/zt_risk_scoring/integrations

Create new risk score integration.

Delete A Risk Score Integration -> Envelope<unknown>
delete/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}

Delete a risk score integration.

Get Risk Score Integration By ID -> Envelope<{ id, account_tag, active, 5 more... }>
get/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}

Get risk score integration by id.

List All Risk Score Integrations For The Account -> SinglePage<{ id, account_tag, active, 5 more... }>
get/accounts/{account_id}/zt_risk_scoring/integrations

List all risk score integrations for the account.

Update A Risk Score Integration -> Envelope<{ id, account_tag, active, 5 more... }>
put/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}

Overwrite the reference_id, tenant_url, and active values with the ones provided

zero_trust.risk_scoring.integrations.references

Methods

Get Risk Score Integration By Reference ID -> Envelope<{ id, account_tag, active, 5 more... }>
get/accounts/{account_id}/zt_risk_scoring/integrations/reference_id/{reference_id}

Get risk score integration by reference id.

zero_trust.risk_scoring.summary

Methods

Get Risk Score Info For All Users In The Account -> Envelope<{ users }>
get/accounts/{account_id}/zt_risk_scoring/summary

Get risk score info for all users in the account

zero_trust.seats

Methods

Update A User Seat -> Envelope<Array<>>
patch/accounts/{account_id}/access/seats

Removes a user from a Zero Trust seat when both access_seat and gateway_seat are set to false.

Domain types

Seat = { access_seat, created_at, gateway_seat, 2 more... }
Tunnels

zero_trust.tunnels

Methods

Create A Cloudflare Tunnel -> Envelope< | { id, account_tag, connections, 8 more... }>
post/accounts/{account_id}/cfd_tunnel

Creates a new Cloudflare Tunnel in an account.

Delete A Cloudflare Tunnel -> Envelope< | { id, account_tag, connections, 8 more... }>
delete/accounts/{account_id}/cfd_tunnel/{tunnel_id}

Deletes a Cloudflare Tunnel from an account.

Update A Cloudflare Tunnel -> Envelope< | { id, account_tag, connections, 8 more... }>
patch/accounts/{account_id}/cfd_tunnel/{tunnel_id}

Updates an existing Cloudflare Tunnel.

Get A Cloudflare Tunnel -> Envelope< | { id, account_tag, connections, 8 more... }>
get/accounts/{account_id}/cfd_tunnel/{tunnel_id}

Fetches a single Cloudflare Tunnel.

List Cloudflare Tunnels -> V4PagePaginationArray< | { id, account_tag, connections, 8 more... }>
get/accounts/{account_id}/cfd_tunnel

Lists and filters Cloudflare Tunnels in an account.

Domain types

Connection = { colo_name, is_pending_reconnect, uuid }
Configurations

zero_trust.tunnels.configurations

Methods

Get Configuration -> Envelope<{ account_id, config, created_at, 3 more... }>
get/accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations

Gets the configuration for a remotely-managed tunnel

Put Configuration -> Envelope<{ account_id, config, created_at, 3 more... }>
put/accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations

Adds or updates the configuration for a remotely-managed tunnel.

zero_trust.tunnels.connections

Methods

Clean Up Cloudflare Tunnel Connections -> Envelope<unknown>
delete/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connections

Removes a connection (aka Cloudflare Tunnel Connector) from a Cloudflare Tunnel independently of its current state. If no connector id (client_id) is provided, all connectors will be removed. We recommend running this command after rotating tokens.

List Cloudflare Tunnel Connections -> Envelope<Array<>>
get/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connections

Fetches connection details for a Cloudflare Tunnel.

Domain types

Client = { id, arch, config_version, 4 more... }

A client (typically cloudflared) that maintains connections to a Cloudflare data center.

zero_trust.tunnels.connectors

Methods

Get Cloudflare Tunnel Connector -> Envelope<>
get/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connectors/{connector_id}

Fetches connector and connection details for a Cloudflare Tunnel.

zero_trust.tunnels.management

Methods

Get A Cloudflare Tunnel Management Token -> Envelope<string>
post/accounts/{account_id}/cfd_tunnel/{tunnel_id}/management

Gets a management token used to access the management resources (e.g. Streaming Logs) of a tunnel.

zero_trust.tunnels.token

Methods

Get A Cloudflare Tunnel Token -> Envelope<string>
get/accounts/{account_id}/cfd_tunnel/{tunnel_id}/token

Gets the token used to associate cloudflared with a specific tunnel.

WARP Connector

zero_trust.tunnels.warp_connector

Methods

Create A WARP Connector Tunnel -> Envelope< | { id, account_tag, connections, 8 more... }>
post/accounts/{account_id}/warp_connector

Creates a new WARP Connector Tunnel in an account.

Delete A WARP Connector Tunnel -> Envelope< | { id, account_tag, connections, 8 more... }>
delete/accounts/{account_id}/warp_connector/{tunnel_id}

Deletes a WARP Connector Tunnel from an account.

Update A WARP Connector Tunnel -> Envelope< | { id, account_tag, connections, 8 more... }>
patch/accounts/{account_id}/warp_connector/{tunnel_id}

Updates an existing WARP Connector Tunnel.

Get A WARP Connector Tunnel -> Envelope< | { id, account_tag, connections, 8 more... }>
get/accounts/{account_id}/warp_connector/{tunnel_id}

Fetches a single WARP Connector Tunnel.

List WARP Connector Tunnels -> V4PagePaginationArray< | { id, account_tag, connections, 8 more... }>
get/accounts/{account_id}/warp_connector

Lists and filters WARP Connector Tunnels in an account.

Get A WARP Connector Tunnel Token -> Envelope<string>
get/accounts/{account_id}/warp_connector/{tunnel_id}/token

Gets the token used to associate a WARP device with a specific WARP Connector tunnel.